On Thu, Dec 16, 2010 at 1:32 PM, Pierre Joye <pierre....@gmail.com> wrote:
> hi,
>
> The more I look at this option the more I think it is confusing. I'm
> not sure the gain is worth this confusion either. However I would
> prefer to bring back a proposal we had a couple of years ago, to
> totally disable post data. When disabled, the POST data will be
> totally ignored, no matter if php://input, raw data or whatever other
> ways we may have to access it. The data given by the server/sapi will
> be ignored.
>
> This option has the benefit of being very simple and solves one known
> attack vector in a very clean way.
>

Yeah, but that idea doesn't solve the problem which the current one tries to address. So while I think that it would be a good security measure to allow disabling POST altogether, that should be discussed/voted on in a different thread.

So currently we didn't talk about security measures, but performance gains: if somebody wants to write a script which handles big file uploads but only writes it somewhere (to a file, or another stream), then currently you have to allocate the memory for the POST data twice (see the first email), which is very inefficient if you don't need $_POST at all.

Tyrael
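The upload pattern Tyrael describes, a script that only wants to move a large raw POST body to a file or other stream without touching $_POST, looks like the following. This is an added illustration, not code from the thread or from PHP itself; the cap of 64 MiB, the chunk size, the destination directory and the function name are assumed values. It shows the script's side of the problem: the body is copied from php://input in fixed-size chunks with a hard byte limit that does not rely on the client-supplied Content-Length. Whether the engine additionally buffers a second copy of the body for $_POST is exactly what the thread is debating and is not something the script can control from here.

```php
<?php
// Added example (not from the mailing-list thread): stream a large raw POST
// body from php://input straight to disk in fixed-size chunks, so the script
// itself never holds the whole body in memory. Assumes a SAPI that exposes
// php://input; all paths, limits and names below are made up for illustration.

define('MAX_UPLOAD_BYTES', 64 * 1024 * 1024); // hard cap, 64 MiB (assumed)
define('CHUNK_BYTES', 64 * 1024);             // read/write granularity

/**
 * Copy the raw request body to $destPath without buffering it in PHP userland.
 * Returns the number of bytes written, or false on error or when the cap is hit.
 */
function stream_post_body_to_file($destPath, $maxBytes = MAX_UPLOAD_BYTES)
{
    if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }

    // Content-Length is a client-supplied hint: use it to reject obviously
    // oversized requests early, but enforce the cap again while reading.
    $declared = isset($_SERVER['CONTENT_LENGTH']) ? (int) $_SERVER['CONTENT_LENGTH'] : 0;
    if ($declared > $maxBytes) {
        return false;
    }

    $in  = fopen('php://input', 'rb');
    $out = fopen($destPath, 'xb'); // 'x' refuses to clobber an existing file
    if ($in === false || $out === false) {
        if ($in !== false)  { fclose($in); }
        if ($out !== false) { fclose($out); }
        return false;
    }

    $written = 0;
    $ok = true;
    while (!feof($in)) {
        $chunk = fread($in, CHUNK_BYTES);
        if ($chunk === false) {
            $ok = false;
            break;
        }
        $len = strlen($chunk);
        if ($len === 0) {
            continue;
        }
        // Enforce the byte cap on what actually arrives, not on the header.
        if ($written + $len > $maxBytes) {
            $ok = false;
            break;
        }
        if (fwrite($out, $chunk) !== $len) {
            $ok = false;
            break;
        }
        $written += $len;
    }

    fclose($in);
    fclose($out);

    if (!$ok) {
        unlink($destPath); // never leave a truncated or over-limit file behind
        return false;
    }
    return $written;
}

// Usage (assumed spool directory outside the web root; name is server-chosen,
// never derived from client input):
$dest = '/var/spool/uploads/' . uniqid('upload_', true) . '.bin';
$bytes = stream_post_body_to_file($dest);
if ($bytes === false) {
    header('HTTP/1.1 413 Request Entity Too Large');
    exit;
}
header('Content-Type: text/plain');
echo "stored $bytes bytes\n";
```

The destination name is generated server-side and opened with the `x` mode so a concurrent or replayed request cannot overwrite an earlier upload, and the partial file is removed on any failure so the spool directory only ever contains complete, size-checked bodies.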